04-17-2013 07:59 AM
I'm wondering if there is a way to create a policy based on workstations in a certain AD group.
Here's what I'm trying to accomplish... I want to have a security group in our Active Directory, say "Privileged Workstations" for a name. Any workstation that is a member of the "Privileged Workstations" group will have a static IP and will need to have access to applications that are outside of our normal scope of allowed applications. My goal is to set up a sort of self-service group for our server team so if a server needs access to LogMeIn, for example, they can simply add the server to the AD group and I won't need to make any changes on my Palo Alto itself. I do not want to write my policy based on username as the username for the servers is not consistently identified (unless there is a way to statically create a username to IP mapping?).
Has anyone set anything up like this before? Maybe I'm just missing something really easy, or maybe this just can't be accomplished.
Any help would be appreciated. Thanks.
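One way to answer the "statically create a username to IP mapping" part of the question: generate a PAN-OS User-ID XML API payload from the group membership, mapping each computer account to its static IP, so a policy can match a synthetic user name for the host instead of waiting for a real login. This is an added example, not code from the thread or from Palo Alto Networks; it assumes the `uid-message` payload shape used by the XML API `type=user-id` call, uses a constructed membership list (the output of something like `Get-ADGroupMember` joined with each host's static IP), and uses a hypothetical domain name `corp`.

```python
"""Build a PAN-OS User-ID mapping payload for every member of an AD group.

Added example: the uid-message layout below is an assumption about the
XML API User-ID payload; verify it against the PAN-OS version in use.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: what an AD group query would return for
# "Privileged Workstations", joined with each host's static IP.
# These are not real hosts; the last entry is deliberately malformed.
SAMPLE_GROUP_MEMBERS = [
    {"name": "DATAPC01", "ip": "10.10.5.21"},
    {"name": "DATAPC02", "ip": "10.10.5.22"},
    {"name": "DATAPC03", "ip": "not-an-ip"},
]

DOMAIN = "corp"  # hypothetical NetBIOS domain name (assumption)


def synthetic_user(hostname, domain=DOMAIN):
    """Name the mapped 'user' after the computer account (AD computer
    accounts end in '$'), so policies can match it like any other user."""
    return f"{domain}\\{hostname.lower()}$"


def build_uid_message(members, timeout_minutes=0):
    """Return (xml_string, rejected_hostnames).

    Entries whose IP does not parse are skipped and reported rather than
    sent, so one bad AD attribute cannot poison the whole mapping push.
    timeout_minutes is passed through as the entry 'timeout' attribute;
    the value meaning 'never expire' should be checked in the PAN-OS docs.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    rejected = []
    for member in members:
        try:
            ip = ipaddress.ip_address(member["ip"])
        except ValueError:
            rejected.append(member["name"])
            continue
        ET.SubElement(
            login, "entry",
            name=synthetic_user(member["name"]),
            ip=str(ip),
            timeout=str(timeout_minutes),
        )
    return ET.tostring(root, encoding="unicode"), rejected


def parse_uid_message(xml_string):
    """Read a payload back into {user: ip}, useful for checking what was
    sent and for diffing against the next AD query to find stale hosts."""
    root = ET.fromstring(xml_string)
    return {e.get("name"): e.get("ip") for e in root.iter("entry")}


def stale_mappings(previous, current):
    """Users present in the previous push but not the current one; these
    are the entries that should go into a <logout> payload next time."""
    return sorted(set(previous) - set(current))


if __name__ == "__main__":
    xml_text, bad = build_uid_message(SAMPLE_GROUP_MEMBERS)
    print(xml_text)
    print("rejected:", bad)
```

The resulting string is what would be sent to the firewall's XML API (as the `cmd` parameter of a `type=user-id` request, with an API key; that transport detail is also an assumption here). Running this on a schedule against the AD group gives the self-service behaviour the post asks for: adding a computer to the group adds a mapping, and `stale_mappings` on the previous and current results tells you which entries to log out.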
04-17-2013 01:29 PM
04-18-2013 08:36 AM
When a user wants to connect to, for example, LogMeIn, he is known on the AD server. The security group in the policy can be used because the group is also known on the AD server (the user has to be a member of this group).
The PAN-Agent looks into the log of the AD server (it is not necessary to use an AD server) and sends this data to the Palo Alto, so the PA knows the IP and no user or IP address has to be used. Maybe the service or the app is changing.
04-18-2013 08:48 AM
Thanks for the idea, this seems like it would probably work for me. I'm not on 5.x yet but I'll look into an upgrade to potentially use this solution.
04-18-2013 09:09 AM
Hi Klaus -
Maybe my example of using LogMeIn wasn't the best example to use in this situation because that may require a user to go out and manually initiate a connection. What we'll really be doing is allowing a vendor to remotely connect to certain PCs in our company via TeamViewer or a similar app. It's possible that these machines won't actually be logged into by a user for months (they just sit there pulling and pushing data) and even when service is needed a user probably won't be logging into the machine before support tries to connect remotely. Because users won't log in often (if at all) any solution using a username won't work for us since the username will most likely .
Maybe I misunderstood the solution you're proposing, if so just let me know.
Thanks for the response.